NFT trading platform SuperRare found itself in hot water on Monday after a basic smart contract error led to an exploit costing approximately $731,000 in RARE tokens. According to blockchain security firm Cyvers, the vulnerability was exploited due to flawed access control logic in SuperRare’s staking contract — a bug that cybersecurity experts say should have been caught in routine testing.
The Flawed Function That Opened the Door
At the heart of the exploit was a function intended to allow only specific addresses — such as the contract owner — to update the Merkle root, a key component used to determine staking balances. However, due to a reversal in logic, the contract instead allowed any address to interact with and alter this critical function.
The error was so blatant that it could be spotted by AI. Cointelegraph confirmed that OpenAI’s o3 model (used in ChatGPT) was able to identify the issue almost immediately. “ChatGPT would’ve caught this,” said 0xAw, lead developer at Alien Base. “Any half-competent Solidity dev would’ve caught this. Basically anyone, if they looked.”
SuperRare co-founder Jonathan Perkins clarified that no core protocol funds were impacted and pledged that affected users — reportedly 61 wallets — would be fully compensated. “We’ve learned from it, and now future changes will go through a much more robust review pipeline,” he said.
Anatomy of the Vulnerability: Reversed Logic
The contract checked whether the caller was not a specific address or the owner — effectively inverting the intended restriction, so the very callers meant to be allowed were the ones shut out. This left the Merkle-root update open to any address, which is what let the attacker manipulate staking balances and siphon funds.
“This stands as a stark reminder: in decentralized systems, even a one-character mistake can have severe consequences,” said Slava Demchuk, CEO of AMLBot.
Mike Tiutin, CTO at AMLBot, echoed the sentiment, calling the bug “a silly mistake” that should’ve been caught with proper unit test coverage.
The exploit reinforces the importance of unit tests — small, automated checks that ensure individual functions work as intended. “If unit tests were in place, especially for access control checks, this bug would have been caught,” said a senior engineer at Nexus Mutual.
According to Demchuk, “The effect was the same: an avoidable vulnerability that cost massively.” The lack of adequate testing — including a possible absence of a bug bounty program — allowed a simple oversight to make it into production.
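As an added illustration of the inverted access check described above and of the unit test the engineers quoted say would have caught it, this is not SuperRare's code: the contract layout, the function and variable names, and the use of a Foundry test (forge-std's vm.prank / vm.expectRevert) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical staking contract; names and layout are assumptions, not SuperRare's code.
contract StakingMerkleRoot {
    address public owner;
    address public updater;   // the one other address allowed to update the root
    bytes32 public merkleRoot;

    constructor(address _updater) {
        owner = msg.sender;
        updater = _updater;
    }

    // VULNERABLE PATTERN: the leading "!" inverts the guard. Every caller that is
    // NOT the owner or updater passes, while the intended callers revert.
    function updateMerkleRootBuggy(bytes32 newRoot) external {
        require(!(msg.sender == owner || msg.sender == updater), "not authorized");
        merkleRoot = newRoot;
    }

    // INTENDED CHECK: only the owner or the designated updater may change the root.
    function updateMerkleRoot(bytes32 newRoot) external {
        require(msg.sender == owner || msg.sender == updater, "not authorized");
        merkleRoot = newRoot;
    }
}

// Minimal Foundry unit tests for the access-control check.
contract StakingMerkleRootTest is Test {
    StakingMerkleRoot s;
    address updater = address(0xBEEF);   // constructed sample addresses
    address stranger = address(0xBAD);

    function setUp() public { s = new StakingMerkleRoot(updater); }

    // The test that should exist: an unauthorized caller must revert.
    function testStrangerCannotUpdate() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("not authorized"));
        s.updateMerkleRoot(bytes32(uint256(1)));
    }

    // Run against the buggy function, the same test fails loudly: the stranger's call succeeds.
    function testBuggyVersionAdmitsStranger() public {
        vm.prank(stranger);
        s.updateMerkleRootBuggy(bytes32(uint256(1)));
        assertEq(s.merkleRoot(), bytes32(uint256(1)));
    }
}
```

A negative test of this shape, one per privileged function, is the "proper unit test coverage" the AMLBot and Nexus Mutual engineers refer to; it fails the moment a guard is inverted.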
SuperRare’s Path Forward
Perkins admitted the bug was introduced late in the development cycle and wasn’t part of final test scenarios. Moving forward, he confirmed that SuperRare will implement stricter workflows, including mandatory re-audits for any post-audit changes, no matter how minor.
As 0xAw noted, this wasn’t a complex or cleverly hidden exploit. It was, in his words, “a normal human error” — but one that had serious consequences because no one double-checked it. “It’s not even code that works under normal conditions and fails in edge cases. This code just does the opposite of what you’d expect.”
Yehor Rudytsia, head of incident response at Hacken, summed it up: “If reviewing this function, it’s a pretty obvious bug.”